Automatically lock out Windows 7 users after incorrect password guesses


This is a basic one for HIPAA security and it is not hard to do. When someone enters the wrong password 5 times, you should lock them out for at least 30 minutes.

Why would you do this? It stops someone from running a password-guessing attack against the computer once they have learned a valid username.

The article is here:

Here are the important parts, but you should just go visit the article since it is well-illustrated.

Once you are logged into Windows, click on the start menu.
Type "secpol.msc" in the search field and hit Enter (or click on the first result).
[Image: Launch the Local Security Policy snap-in editor in Windows 7]
When the Local Security Policy editor / snap-in opens, double-click on "Security Settings" to expand it if needed; otherwise, directly double-click on "Account Policies".
Select "Account Lockout Policies" on the left, and 3 configurable options will load on the right:
[Image: Configure Account Lockout Security settings in Windows 7]
The "Account Lockout Threshold" value determines how many invalid logon attempts Windows 7 will accept before taking action; by default this is set to zero, and the two settings described next then show "Not Applicable", meaning no action is taken.

Double-click on "Account lockout threshold" and enter the number of wrong username / password entries you want to allow. Click "OK" to apply your setting, and Windows 7 will suggest default values for the two remaining settings; you can click "OK" to accept them as well, but we'll describe them anyway. In our case (5 attempts), Windows suggests 30 minutes for each:

[Image: Windows 7 default lockout options]
The "Account Lockout Duration" setting, which you can edit by double-clicking on it, determines how many minutes must pass after the last unsuccessful login attempt before Windows 7 allows someone to try to log on to that particular user account again (this doesn't affect other profiles on the same computer, but it does affect remote logins to the user account in question).
With the "Reset Account Lockout Counter After" option, Windows 7 lets you customize how long it remembers the lockout "penalty", i.e. the count of invalid login attempts; this will typically be the same value as Account Lockout Duration, but you could have Windows enforce stiffer penalties well after that initial lockout duration. Example: if Account lockout duration is "30 minutes", someone can try again to sign in to that user account after 31 minutes; if Reset account lockout counter is also 30 minutes, Windows 7 starts counting invalid credentials from zero (and will let the user in if the credentials are valid). If your lockout counter is set to a larger amount of time (say, one hour), Windows would lock that user account after a single invalid logon, since it "remembers" that the person already tried that many times before that point.

To disable automatic user account lockout, just set the "Account Lockout Threshold" back to zero, and Windows will automatically set the two other settings to "Not Applicable" when you click "OK".
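The same three settings can be applied and verified from an elevated PowerShell prompt, which is handy when you have to configure and document several machines for a HIPAA review. This is an added example, not code from the original article; it assumes the article's values (5 attempts, 30 minutes, 30 minutes), that `net accounts` is run with administrator rights, and that the Security log is readable from that prompt.

```powershell
# Added example (not from the original article): set and verify the local
# account lockout policy, then list recent lockouts for the record.
# Values assumed from the article: 5 attempts, 30-minute lockout, 30-minute reset.
$Threshold       = 5    # Account lockout threshold (invalid attempts)
$DurationMinutes = 30   # Account lockout duration
$ResetMinutes    = 30   # Reset account lockout counter after

# net accounts writes the same local policy that secpol.msc edits.
# Windows requires the reset window to be no longer than the lockout duration.
net accounts /lockoutthreshold:$Threshold `
             /lockoutduration:$DurationMinutes `
             /lockoutwindow:$ResetMinutes

# Show what is now in effect; these are the three "Lockout" lines of net accounts.
net accounts | Select-String -Pattern 'Lockout'

# Detection side: event 4740 ("A user account was locked out") in the Security
# log records each lockout the policy above triggers. Requires an elevated
# prompt; returns nothing (no error) if no lockouts have happened yet.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ Name = 'Account'; Expression = { $_.Properties[0].Value } }
```

Re-running the first `net accounts` line with `/lockoutthreshold:0` is the command-line equivalent of the "set it back to zero" step above.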